Sharpie · May 18, 2019 17:21
diff --git a/initialize-puppetca.sh b/initialize-puppetca.sh
 #!/bin/bash

 # Initialize a Puppet Intermediate Certificate Authority (CA) by generating
 # a RSA key and Certificate Signing Request using the OpenSSL CLI.

 # Fail if any subcommand fails.
 set -e
 # Ensure files created by this script are only accessible to the user
 # that ran the script.
 umask 0077

 # Check that OpenSSL is installed.
 printf 'Checking for openssl...\n' >&2
 openssl version >&2 || {
  printf 'This script requires the openssl command to be installed and functional.\n' >&2
  exit 1
 }

 key_output="${PWD}/puppet_ca_key.pem"
 csr_output="${PWD}/puppet_ca_csr.pem"

 for f in "${key_output}" "${csr_output}"; do
  if [[ -e "${f}" ]]; then
    printf 'An output file already exists: %s\n' "${f}" >&2
    printf 'Move it aside before running this script.\n' >&2
    exit 1
  fi
 done

 printf '\nGenerating RSA key and signing request...\n' >&2
 workdir=$(mktemp -d -t initialize-puppetca.XXX)
 # NOTE: For compatiblity with RFC 5280, ca_name should be 64 characters or less.
 ca_name="Puppet Enterprise CA generated at $(date +'%Y-%m-%d %H:%M:%S %z')"

 cat <<EOF > "${workdir}/intermediate_ca.ini"
 # See "CONFIGURATION FILE FORMAT" section of the req manpage:
 #
 #     man 1 req
 #
 # https://www.openssl.org/docs/man1.0.2/apps/openssl-req.html#CONFIGURATION-FILE-FORMAT
 [req]
 # NOTE: Setting prompt to no prevents 'openssl req' from asking
 #       the user if they wish to modify the distinguished_name
 #       or extensions.
 prompt=no

 # These settings specify other INI sections that provide configuration.
 distinguished_name = dn_data
 req_extensions = extension_data

 # See "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" section of
 # the req manpage:
 #
 #     man 1 req
 #
 # https://www.openssl.org/docs/man1.0.2/apps/openssl-req.html#DISTINGUISHED-NAME-AND-ATTRIBUTE-SECTION-FORMAT
 [dn_data]
 CN="${ca_name}"

 # See the x509v3_config man page:
 #
 #     man 5 x509v3_config
 #
 # https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html
 [extension_data]
 # pathlen:0 prevents this CA from issuing subordinate CA certificates.
 basicConstraints=critical,CA:TRUE,pathlen:0
 keyUsage=critical,keyCertSign,cRLSign
 subjectKeyIdentifier=hash
 nsComment="Puppet Server Internal Certificate"
 EOF

 openssl req \
  -config "${workdir}/intermediate_ca.ini" \
  -outform PEM -out "${csr_output}" \
  -newkey rsa:4096 -sha256 \
  -keyform PEM -nodes -keyout "${key_output}" >&2

 printf '\nRSA private key created: %s\n' "${key_output}" >&2
 printf 'Keep this file somewhere safe. It will be needed during PE installation.\n' >&2

 printf '\nPEM formatted Certificate Signing Request created: %s\n' "${csr_output}" >&2
 printf 'Submit this file to your external Certificate Authority.\n' >&2

 printf '%s\n' "${csr_output}"
	#!/bin/bash

	# Initialize a Puppet Intermediate Certificate Authority (CA) by generating
	# a RSA key and Certificate Signing Request using the OpenSSL CLI.

	# Fail if any subcommand fails.
	set -e
	# Ensure files created by this script are only accessible to the user
	# that ran the script.
	umask 0077

	# Check that OpenSSL is installed.
	printf 'Checking for openssl...\n' >&2
	openssl version >&2 \|\| {
	printf 'This script requires the openssl command to be installed and functional.\n' >&2
	exit 1
	}

	key_output="${PWD}/puppet_ca_key.pem"
	csr_output="${PWD}/puppet_ca_csr.pem"

	for f in "${key_output}" "${csr_output}"; do
	if [[ -e "${f}" ]]; then
	printf 'An output file already exists: %s\n' "${f}" >&2
	printf 'Move it aside before running this script.\n' >&2
	exit 1
	fi
	done

	printf '\nGenerating RSA key and signing request...\n' >&2
	workdir=$(mktemp -d -t initialize-puppetca.XXX)
	# NOTE: For compatiblity with RFC 5280, ca_name should be 64 characters or less.
	ca_name="Puppet Enterprise CA generated at $(date +'%Y-%m-%d %H:%M:%S %z')"

	cat <<EOF > "${workdir}/intermediate_ca.ini"
	# See "CONFIGURATION FILE FORMAT" section of the req manpage:
	#
	# man 1 req
	#
	# https://www.openssl.org/docs/man1.0.2/apps/openssl-req.html#CONFIGURATION-FILE-FORMAT
	[req]
	# NOTE: Setting prompt to no prevents 'openssl req' from asking
	# the user if they wish to modify the distinguished_name
	# or extensions.
	prompt=no

	# These settings specify other INI sections that provide configuration.
	distinguished_name = dn_data
	req_extensions = extension_data

	# See "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT" section of
	# the req manpage:
	#
	# man 1 req
	#
	# https://www.openssl.org/docs/man1.0.2/apps/openssl-req.html#DISTINGUISHED-NAME-AND-ATTRIBUTE-SECTION-FORMAT
	[dn_data]
	CN="${ca_name}"

	# See the x509v3_config man page:
	#
	# man 5 x509v3_config
	#
	# https://www.openssl.org/docs/man1.0.2/apps/x509v3_config.html
	[extension_data]
	# pathlen:0 prevents this CA from issuing subordinate CA certificates.
	basicConstraints=critical,CA:TRUE,pathlen:0
	keyUsage=critical,keyCertSign,cRLSign
	subjectKeyIdentifier=hash
	nsComment="Puppet Server Internal Certificate"
	EOF

	openssl req \
	-config "${workdir}/intermediate_ca.ini" \
	-outform PEM -out "${csr_output}" \
	-newkey rsa:4096 -sha256 \
	-keyform PEM -nodes -keyout "${key_output}" >&2

	printf '\nRSA private key created: %s\n' "${key_output}" >&2
	printf 'Keep this file somewhere safe. It will be needed during PE installation.\n' >&2

	printf '\nPEM formatted Certificate Signing Request created: %s\n' "${csr_output}" >&2
	printf 'Submit this file to your external Certificate Authority.\n' >&2

	printf '%s\n' "${csr_output}"